Get a certificate proxy » History » Version 6

Dominic Brailsford, 01/16/2018 02:02 PM

h1. Get an SBND certificate and proxy

bq. Note: this page is about certificates and proxies to access grid resources. For "personal" certificates to access DocDB and web-based resources, you want a [[Setting up access with CILogon certificate|CILogon certificate]] instead.

h2. Virtual Organization membership

First, you need to be registered in the proper Virtual Organization, which in our case is, unsurprisingly, @sbnd@.
You can play some _roles_ in the organisation, and you need to choose which one to wear when getting a certificate proxy. Examples of roles are @Analysis@ (which you should pick if unsure) and @Production@.

You can check your status by pointing your browser to the Fermilab VOMS server at . You will be required to present a certificate (the [[Setting up access with CILogon certificate|CILogon certificate]] is good enough for this), and from it the server will know who you are and will tell you what you can do.

If you don't get the expected result (e.g., you are not listed in the @fermilab/sbnd@ group or you need to play a different role), [[Computing resources#Opening-a-ticket-in-Fermilab-Service-Desk|request the change via service desk]].

h2. Get the proxy

The ritual for getting the certificate and proxy goes like this:
<pre>kinit "${USER}@FNAL.GOV"                                                     # get your Kerberos authentication
setup cigetcert                                                              # (if not already there)
cigetcert -s ''                                            # ask for a certificate
voms-proxy-init -noregen -rfc -voms 'fermilab:/fermilab/sbnd/Role=Analysis'  # create a "proxy" from the certificate</pre>
The last line of the output from this sequence should look something like:
<pre>Your proxy is valid until Tue Sep 27 01:49:24 2016</pre>
where the date is 24 hours in the future.
This "proxy" is what we need to get our job done.
The command <pre>voms-proxy-info -all</pre> will tell you more than you want to know about your current certificate.

h2. Production role jobs

h3. Getting production privileges

Submit a service desk ticket asking for production role privileges for SBND.  You will most likely have to add a computing coordinator to the watch list.
You then have to ask someone with access to the sbndpro account to add you to the k5login file.  The people to ask are the computing coordinators or the production coordinator(s).
You should then be able to ssh to an sbnd machine as the sbndpro user:
<pre> ssh -Y </pre>

h3. Getting the production proxy (old-school method)

<pre>kx509; voms-proxy-init -noregen -rfc -voms 'fermilab:/fermilab/sbnd/Role=Production' </pre>
You should now be able to submit production jobs.

h3. Getting the production proxy (the new method)

A much easier alternative for getting production-role access is to use the production proxy certificate that is pushed to the gpvm several times a day, courtesy of the SCD.  The certificate is only accessible from the sbndpro account.  Here is some fine print, sent by Kevin Retzke when this method was set up on the sbndgpvms:

Some requirement/fine print:

1. We only offer the service for service accounts that are abiding by cs-docdb 5644 and its addendums. These requirements include, but are not limited to:
* No more than ten people from the experiment are allowed in the .k5login file at any time. USDC members do not count against the limit.
* The cert and key files should never be sent over a network via any unencrypted means, especially as email attachments.

2. Our service principal (monitor/gcso/ needs to be added to the .k5login of the production account on each target machine.

3. The destination directory (we typically use /opt/accountname) needs to be created on each target machine, owned by the production account.

4. Someone with the production role must be designated to have the service certificate registered under in VOMS.

The certificate has to be registered to someone.  At time of writing, the certificate is registered to Dominic Brailsford.

To use the certificate, make sure the following environment variable is set:

At time of writing, the .profile file for sbndpro should set up the X509_USER_PROXY environment variable, so hopefully you don't need to do anything!  Once X509_USER_PROXY is set, you are able to submit production jobs (no need to use the old-school method as well!).
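
A pre-submission check that ties together the @voms-proxy-info -all@ output from "Get the proxy" and the X509_USER_PROXY file described above. This is an added example, not SBND or SCD code: the function names and the sample output are constructed here, and the default path /tmp/x509up_u<uid> is assumed when X509_USER_PROXY is unset.

```shell
#!/usr/bin/env bash
# Added example: checks to run before submitting jobs with a VOMS proxy.

# Constructed sample of `voms-proxy-info -all` output (trimmed; not real data).
SAMPLE_INFO='type      : RFC compliant proxy
path      : /tmp/x509up_u1000
timeleft  : 23:59:10
=== VO fermilab extension information ===
VO        : fermilab
attribute : /fermilab/sbnd/Role=Analysis/Capability=NULL
attribute : /fermilab/sbnd/Role=NULL/Capability=NULL
timeleft  : 11:30:00'

# The proxy file holds an unencrypted private key: require a regular file
# (not a symlink) with no permission bits for group or others.
proxy_file_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Reads voms-proxy-info text on stdin; succeeds if an attribute line carries
# the wanted FQAN, e.g. /fermilab/sbnd/Role=Analysis.
proxy_has_role() {
    local line fqan
    while IFS= read -r line; do
        case "$line" in attribute*) fqan=${line#*: } ;; *) continue ;; esac
        case "$fqan" in "$1"|"$1"/*) return 0 ;; esac
    done
    return 1
}

# Prints the smallest "timeleft" in seconds: the VOMS attribute can expire
# before the proxy certificate does. Fails if no timeleft line is present.
proxy_seconds_left() {
    awk -F' *: *' '$1 == "timeleft" { s = $2*3600 + $3*60 + $4
                       if (!seen || s < min) { min = s; seen = 1 } }
                   END { if (!seen) exit 1; print min }'
}

# check_proxy FQAN MIN_SECONDS [INFO_TEXT]; INFO_TEXT defaults to live output.
# Returns 2 (file missing or exposed), 3 (role absent), 4 (too little time).
check_proxy() {
    local f="${X509_USER_PROXY:-/tmp/x509up_u$(id -u)}" info left
    proxy_file_is_private "$f" || return 2
    info="${3:-$(voms-proxy-info -file "$f" -all 2>/dev/null)}"
    printf '%s\n' "$info" | proxy_has_role "$1" || return 3
    left=$(printf '%s\n' "$info" | proxy_seconds_left) || return 4
    [ "$left" -ge "$2" ] || return 4
}
```

Source the file and run @check_proxy /fermilab/sbnd/Role=Production 3600@ in the submitting shell; a non-zero status says which of the three checks failed.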